MdZddlmZddlmZddlmZddlZddlmZddl m Z ddl m Z dd l mZdd l mZdd lmZddlm Zdd lmZdd lmZddlmZGdde j2ZdZy)z>A simple auth command to bootstrap authentication with oauth2.)absolute_import)division)unicode_literalsN)service_account)base) exceptions)log) properties) console_io)store)encoding)filesc&eZdZdZedZdZy)ActivateServiceAccountaAuthorize access to Google Cloud with a service account. To allow `gcloud` (and other tools in Google Cloud CLI) to use service account credentials to make requests, use this command to import these credentials from a file that contains a private authorization key, and activate them for use in `gcloud`. {command} serves the same function as `gcloud auth login` but uses a service account rather than Google user credentials. For more information on authorization and credential types, see: [](https://cloud.google.com/sdk/docs/authorizing). _Key File_ To obtain the key file for this command, use either the [Google Cloud Console](https://console.cloud.google.com) or `gcloud iam service-accounts keys create`. The key file can be .json (preferred) or .p12 (legacy) format. In the case of legacy .p12 files, a separate password might be required and is displayed in the Console when you create the key. _Credentials_ Credentials will also be activated (similar to running `gcloud config set account [ACCOUNT_NAME]`). If a project is specified using the `--project` flag, the project is set in active configuration, which is the same as running `gcloud config set project [PROJECT_NAME]`. Any previously active credentials, will be retained (though no longer default) and can be displayed by running `gcloud auth list`. If you want to delete previous credentials, see `gcloud auth revoke`. _Note:_ Service accounts use client quotas for tracking usage. ## EXAMPLES To authorize `gcloud` to access Google Cloud using an existing service account while also specifying a project, run: $ {command} SERVICE_ACCOUNT@DOMAIN.COM \ --key-file=/path/key.json --project=PROJECT_ID c|jddd|jddd|j}|jd d |jd d dy)zSet args for serviceauth.account?z&E-mail address of the service account.)nargshelpz --key-filezPath to the private key file.T)rrequired--password-filezbPath to a file containing the password for the service account private key (only for a .p12 file).)rz--prompt-for-password store_truezSPrompt for the password for the service account private key (only for a .p12 file).)actionrN) add_argumentadd_mutually_exclusive_group)parsergroups ,lib/surface/auth/activate_service_account.pyArgszActivateServiceAccount.ArgsPs  EG  =!%'  / / 1E (79 .|CEcZt|j\}}|rtj|}|js |j rt jdd|j}|jr|j|k7rt jdd|j}|st jddd}|jr/ tj|jj}n!|j rt!j"d}tj$|||} t'j(|||j4}|r8t7j8t6j:j<j4|t.j>jAd jC|y#tj$r}t jd|d}~wwxYw#t*j,$r%}t.j0j3|d}~wwxYw) z#Create service account credentials.rz8A .json service account key does not require a password.ACCOUNTz|The given account name does not match the account name in the key file. This argument can be omitted when using .json keys.z+An account is required when using .p12 keysNz Password: )passwordz0Activated service account credentials for: [{0}])" _IsJsonFilekey_fileauth_service_account CredentialsFromAdcDictGoogleAuth password_fileprompt_for_passwordc_excInvalidArgumentExceptionservice_account_emailrRequiredArgumentExceptionrReadFileContentsstripErrorUnknownArgumentExceptionr PromptPasswordCredentialsFromP12Keyc_storeActivateCredentialscreds_exceptionsTokenRefreshErrorr file_only_logger exceptionprojectr PersistPropertyVALUEScorestatusPrintformat) selfargs file_contentis_jsoncredrr#er:s rRunzActivateServiceAccount.Runas( 6L' ! B B d  t77,,  FH H**g $,,'1,,  IJ J  g -- DF Fh   E++D,>,>?EEG(  # #,,\: ! 7 7 (4d  !!'40 llG  !2!2!7!7!?!?IJJGfWo'%{{ E../@!D D E  - -  $$Q'  s0-G6G2G/G**G/2H* H%%H*N)__name__ __module__ __qualname____doc__ staticmethodrrGr rrr$s#)VEE -'r rc$tj|d} tjt j |dfS#t $rC}|jdr%tjdj||Yd}~|dfSd}~wwxYw)z9Check and validate if given filename is proper json file.T)binaryz.jsonz!Could not read json file {0}: {1}NF) r ReadFromFileOrStdinjsonloadsr Decode ValueErrorendswithr&BadCredentialFileExceptionr@)filenamecontentrFs rr$r$s  * *8D A'C ::hoog. / 55 C! ; ; - 4 4Xq A CC" % Cs)A B 6B  B)rK __future__rrrrQgooglecloudsdk.api_lib.authrr&googlecloudsdk.callioperrr*googlecloudsdk.corer r googlecloudsdk.core.consoler googlecloudsdk.core.credentialsr6r r4googlecloudsdk.core.utilr r SilentCommandrr$rMr rrasO E&' O(7#*2J<-*j'T//j'Z r